Scan Settings: File Not Found

To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings. Then, in the Scan Settings category, select File Not Found.

Options

The File Not Found options are described in the following table.

Option	Description
Determine File Not Found (FNF) using HTTP response codes	Select this option to rely on HTTP response codes to detect a file-not-found response from the server. You can then identify the codes that fit the following categories: Forced Valid Response Codes (Never an FNF): You can specify HTTP response codes that should never be treated as a file-not-found response. Forced FNF Response Codes (Always an FNF): Specify those HTTP response codes that will always be treated as a file-not-found response. Fortify WebInspect will not process the response contents. Enter a single response code or a range of response codes. For ranges, use a dash or hyphen to separate the first and last code in the list (for example, 400-404). You can specify multiple codes or ranges by separating each entry with a comma.
Determine FNF from custom supplied signature	Use this area to add information about any custom 404 page notifications that your company uses. If your company has configured a different page to display when a 404 error occurs, add the information here. False positives can result in Fortify WebInspect from 404 pages that are unique to your site.
Auto detect FNF page	Some Web sites do not return a status "404 Not Found" when a client requests a resource that does not exist. Instead, they may return a status "200 OK" but the response contains a message that the file cannot be found, or they might redirect to a home page or login page. Select this check box if you want Fortify WebInspect to detect these "custom" file-not-found pages. Fortify WebInspect attempts to detect custom file-not-found pages by sending requests for resources that cannot possibly exist on the server. It then compares each response and measures the amount of text that differs between the responses. For example, most messages of this type have the same content (such as "Sorry, the page you requested was not found"), with the possible exception being the name of the requested resource. If you select the Auto detect FNF page check box, you can specify what percentage of the response content must be the same in the Match FNF page with field. The default is 90 percent.

Option

Description

Determine File Not Found (FNF) using HTTP response codes

Select this option to rely on HTTP response codes to detect a file-not-found response from the server. You can then identify the codes that fit the following categories:

Forced Valid Response Codes (Never an FNF): You can specify HTTP response codes that should never be treated as a file-not-found response.
Forced FNF Response Codes (Always an FNF): Specify those HTTP response codes that will always be treated as a file-not-found response. Fortify WebInspect will not process the response contents.

Enter a single response code or a range of response codes. For ranges, use a dash or hyphen to separate the first and last code in the list (for example, 400-404). You can specify multiple codes or ranges by separating each entry with a comma.

Determine FNF from custom supplied signature

Use this area to add information about any custom 404 page notifications that your company uses. If your company has configured a different page to display when a 404 error occurs, add the information here. False positives can result in Fortify WebInspect from 404 pages that are unique to your site.

Auto detect FNF page

Some Web sites do not return a status "404 Not Found" when a client requests a resource that does not exist. Instead, they may return a status "200 OK" but the response contains a message that the file cannot be found, or they might redirect to a home page or login page. Select this check box if you want Fortify WebInspect to detect these "custom" file-not-found pages.

Fortify WebInspect attempts to detect custom file-not-found pages by sending requests for resources that cannot possibly exist on the server. It then compares each response and measures the amount of text that differs between the responses. For example, most messages of this type have the same content (such as "Sorry, the page you requested was not found"), with the possible exception being the name of the requested resource. If you select the Auto detect FNF page check box, you can specify what percentage of the response content must be the same in the Match FNF page with field. The default is 90 percent.

See Also

Scan Settings: Allowed Hosts

Scan Settings: Authentication

Scan Settings: Cookies/Headers

Scan Settings: Custom Parameters

Scan Settings: Filters

Scan Settings: General

Scan Settings: HTTP Parsing

Scan Settings: JavaScript

Scan Settings: Method

Scan Settings: Policy

Scan Settings: Proxy

Scan Settings: Requestor

Scan Settings: Session Exclusions

Scan Settings: User Agent